Exploring DORA: Operational Resilience in Insurance
With the cost of cyber-crime now widely reported as a whopping 0.8% of global GDP, the potential risks posed by cyber threats have become a significant focus for financial firms in recent years.
To address these challenges, governments and regulatory bodies have taken steps to increase protection of consumers and preserve the integrity of financial markets.
One such development is the EU’s Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, a comprehensive framework aimed at strengthening the operational resilience of financial entities operating within the European Union. As a regulation rather than a directive, it applies directly in every member state without national transposition.
Insurers and intermediaries
As well as other financial entities, the act encompasses insurers and insurance intermediaries, and it brings the critical ICT third-party service providers on which they depend under a direct oversight framework, recognising the pivotal role these firms and their suppliers play in safeguarding the financial interests of both consumers and businesses.
DORA aims to counteract potential threats arising from cyber incidents, IT disruptions, and other operational challenges, thereby ensuring the continuity and stability of these critical financial services.
So what do in-scope firms need to do under the new legislation? Some of the key actions required under DORA are as follows:
Completing an Impact Tolerance Assessment (ITA). DORA frames this as part of the ICT risk management framework: insurers and intermediaries are required to identify their critical or important functions, assess the ICT risks those functions are exposed to, and determine the impact a disruptive incident would have on their operational capabilities. This step enables entities to devise risk management strategies proportionate to their own risk profiles rather than a generic checklist.
Mapping and prioritising
Firms must identify and map their critical or important functions, the ICT assets that support them and the third-party providers those assets depend on; DORA also requires this dependency information to be maintained in a register of information covering all contractual arrangements with ICT third-party providers. By prioritising these functions, organisations can allocate their resources effectively during crisis situations and minimise disruptions to the services that matter most.
Scenario planning and test cycle. DORA mandates a digital operational resilience testing programme. Every ICT system supporting a critical or important function must be tested at least yearly, and entities designated by their competent authority must also undergo threat-led penetration testing (TLPT) at least every three years. These exercises help insurers and intermediaries gauge their resilience to various operational disruptions and fine-tune their response strategies accordingly.
Incident reporting and communication. Timely and transparent reporting of incidents is essential to ensure proper co-ordination between firms, customers and regulators. DORA requires firms to classify ICT-related incidents against common criteria and to report major incidents to their competent authority through a staged process (an initial notification, an intermediate report and a final report) within the deadlines set by the accompanying technical standards.
Get ready soon
DORA applies from 17 January 2025, and in-scope firms are expected to be fully compliant by that date. Therefore, the first step is to gain a comprehensive understanding of the DORA provisions and how they apply to your organisation. Insurers and intermediaries must conduct a detailed impact assessment to gauge the potential consequences of operational disruptions to their critical or important functions.
This process involves a thorough analysis of critical services, recovery capabilities, and resources required to minimise adverse impacts. Organisations should then develop robust incident response and crisis management plans, incorporating the lessons learned from scenario planning exercises. Regular testing and updates of these plans will ensure they remain effective and up-to-date.
Cybersecurity also features heavily in the legislation: the ICT risk management framework covers protection and prevention, detection, response and recovery, and learning from incidents. Insurers and intermediaries must keep their cybersecurity measures current to protect customer data and ensure the integrity of their digital infrastructure.
Lastly, entities should establish clear and efficient mechanisms for cyber incidents and operational disruptions to promptly inform regulators and stakeholders when they happen.
DORA represents a significant step forward in safeguarding the financial sector from cyber threats and operational disruptions. For insurers, intermediaries and critical ICT third-party service providers, compliance with DORA is not only a legal requirement but also a vital responsibility to protect their customers and the stability of financial markets.
By implementing a robust, harmonised EU-wide framework, it presents an opportunity for firms to raise the bar on their operational resilience efforts. As technology continues to evolve at its current rapid pace, maintaining this framework will be an ongoing process, demanding vigilance and consistency from all stakeholders involved.